Should Vendor Management Report to Compliance or IT?
Risk management is rarely black and white. What’s best for one financial institution isn’t necessarily best for another. This is especially true when it comes to vendor management.
One common question: Should vendor management report to compliance or IT?
As with many elements of risk management, it depends. Both departments play a major role in vendor management. Neither can skirt responsibility. Yet at the end of the day, someone must oversee the process. The question is which department is best suited to the task.
Compliance’s role in vendor management
Compliance has many strengths to aid in overseeing vendor management. It’s necessary to be familiar with vendor management guidance, and chances are there’s no one at the institution better at breaking down guidance and tracking new developments than the compliance department. It also has experience developing policies, procedures, and controls and monitoring actions to ensure they are followed. It knows how to check the boxes and make sure requirements are met.
While compliance is likely to have the skill set to manage a process like vendor management, it may not have the expertise to understand the technical aspects necessary to assess potential risks and develop controls. To make these determinations, it needs to understand the products or services a vendor provides and how it could fall short in delivering them.
IT’s role in vendor management
While IT doesn’t have to manage vendor management, its specialized expertise is invaluable to the process, particularly when it comes to evaluating the risks of critical vendors. While the compliance department has expertise in controls, it won’t necessarily understand what types of controls are most effective when it comes to cybersecurity or other technical areas. IT can help it understand the specific types of controls necessary when managing cyber risk, business continuity, and other technology-related issues.
For instance, IT knows which vendors have access to protected data and should be aware of vendors’ processes for notifying the institution of a breach and its impact. It understands the flow of data from servers and how often it’s grabbed. It should know what questions to ask when vetting a vendor for reliability, including data backups and disaster recovery. This expertise is essential for informing risk assessments and conducting upfront and ongoing due diligence.
Tips for deciding who oversees vendor management
At the end of the day, one party must be responsible for vendor management. The following questions can help you make the determination:
How does vendor management fit into the institution’s overall approach to enterprise risk management? Vendor management doesn’t happen in a vacuum. It’s a part of ERM. The work conducted in vendor management will touch many departments. Without proper infrastructure and planning, different parties may duplicate each other’s work creating conflicts and inefficiencies.
Rather than assign elements piecemeal, it’s helpful to look at the big picture and strategically assign vendor management and other risk management responsibilities to leverage overlap.
Does one department want responsibility for vendor management? Sometimes you get lucky and one department volunteers to take on a task. Before assigning vendor management, find out if either compliance or IT sees vendor management as a natural extension of its work and is willing to take it on.
Which department has greater bandwidth? If compliance is stretched thin and IT just added new staff or resources, it might make sense to give responsibility to IT. Likewise, if IT is overburdened, it might be best to give vendor management to compliance.
What’s the personality of each department? Sometimes the personalities in a department help determine how suited it would be to taking on a task. Perhaps the person who handles the FFIEC Cybersecurity Assessment is so in tune with inherent risk that it makes sense for him to oversee vendor management. Or maybe IT is so focused on technical elements that it isn’t the best choice for overseeing a process focused on policies and procedures. Similarly, compliance might be led by a Type A person who would excel at vendor management.
In the end, responsibility for vendor management is an operational decision. Regardless of whether IT, compliance, or some other department takes on responsibility for overseeing vendor management, both IT and compliance will play a major role in the process. No one gets to wash their hands of responsibility.
Vendor management can’t happen in a silo.